Warning: This page has not been updated in over a year and may be outdated or deprecated.

This is an old revision of the document!


Documentation of permissions improvement for VuFind

Starting with VuFind 3.1 (?), you can configure how the system behaves when a user tries to view something they do not have permission to view.

The configuration uses two files: permissions.ini (which already exists and is used for permission settings) and permissionBehavior.ini (which is new).

In permissions.ini you define rules. In permissionBehavior.ini you set the behavior of a module, or of other components supported by this module, to define what should happen when a person who does not have permission to view or do something enters a page.

Structure of permissionBehavior.ini

Each permission rule (a section in permissions.ini) can get a section in permissionBehavior.ini. Use the name of the permission rule, as specified in the permission attribute in permissions.ini, as the section name in permissionBehavior.ini. Each section in permissionBehavior.ini may have two attributes: permissionDeniedDisplayLogic and permissionDeniedAction.

permissionDeniedDisplayLogic controls the display of links to this element. If you want to show the favorite link only to people who have logged in, you can define a permission rule in permissions.ini and reference it in permissionBehavior.ini, setting permissionDeniedDisplayLogic to an empty message (as illustrated in an example below).

permissionDeniedDisplayLogic may have one of these options:

permissionDeniedDisplayLogic = "showTemplate:templateName|showMessage:message"

If permissionDeniedDisplayLogic is not set, the template will be displayed normally (as if permission had been granted).

permissionDeniedAction sets what should happen when someone who has no permission clicks on a link or tries to view a restricted page. permissionDeniedAction may have one of the following values:

permissionDeniedAction = "promptlogin|exception:exceptionName:exceptionDescription|showMessage:message"
  • promptlogin displays or pops up a login prompt
  • exception throws the exception configured in the action
    • the exceptionName after the colon is the name of the exception you want to throw
    • the exceptionDescription after the colon is an additional message for the exception
  • showMessage displays a message or a translatable string
    • the message after the colon is the message or translatable string that should be displayed

The following examples illustrate some use cases for permissionBehavior.ini.

Examples

Some examples to illustrate use cases for these configuration options:

Global settings

  • If a user does something he is not allowed to do, show a login page by default (unless a permissionDeniedAction directive overrides that).

permissionBehavior.ini:

[global]
defaultAction = "promptlogin"

  • If a user does something he is not allowed to do, show a note by default (unless a permissionDeniedAction directive overrides that).

permissionBehavior.ini:

[global] 
defaultAction = "showMessage:permission_denied" 

Admin Module

  • Only users from certain IPs are allowed to use the AdminModule. If a user who is not allowed to use it enters the Admin module, show a note.

permissions.ini:

[default.AdminModule] 
ipRange = "10.0.0.1" 
permission = access.AdminModule 

permissionBehavior.ini:

[access.AdminModule] 
permissionDeniedAction = "showMessage:permission_denied_admin" 

Favorites

  • The button to save a record as a favorite should only be displayed after a user has logged in.

permissions.ini:

[default.favoritesSave] 
role[] = loggedin 
permission = favorites.save 

permissionBehavior.ini:

[favorites.save]
permissionDeniedDisplayLogic = "showMessage:"

  • The button to save a record as a favorite should always be displayed, but if a user is not logged in, he should be forced to log in.

That's the default in VuFind now.

permissions.ini:

[default.favoritesSave] 
role[] = loggedin 
permission = favorites.save 

permissionBehavior.ini:

[favorites.save] 
permissionDeniedAction = "promptlogin" 

Primo Central

  • You are using the PrimoCentral index and are offering it in a separate register (SearchTab). The user should be allowed to see the register tab only if he is in a certain IP range. Otherwise the search tab should not be displayed.

permissions.ini:

[default.primo] 
require = ANY 
ipRange = "10.0.0.0-10.254.254.254" 
role[] = loggedin 
permission = access.Primo 

permissionBehavior.ini:

[access.Primo]
permissionDeniedDisplayLogic = "showMessage:"

  • You are using the PrimoCentral index and are offering it in a separate register (SearchTab). Any user should be allowed to see the register tab, but if the tab is clicked, the user should see a note telling him that he needs to be in a certain IP range to use this tab.

permissions.ini:

[default.primo] 
require = ANY 
ipRange = "10.0.0.0-10.254.254.254" 
role[] = loggedin 
permission = access.Primo 

permissionBehavior.ini:

[access.Primo]
permissionDeniedAction = "showMessage:permission_denied_primoaccess"

  • You are using the PrimoCentral index and are offering it in a separate register (SearchTab). Any user should be allowed to see the register tab, but if the tab is clicked, the system should throw an exception.

permissions.ini:

[default.primo] 
require = ANY 
ipRange = "10.0.0.0-10.254.254.254" 
role[] = loggedin 
permission = access.Primo 

permissionBehavior.ini:

[access.Primo] 
permissionDeniedAction = "exception:Forbidden:You are not allowed to do this!" 
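
A pre-deployment check for the two files, added here as an example (it is not part of VuFind or of the original page). It validates values against the permissionDeniedAction and permissionDeniedDisplayLogic grammar described above, flags behavior sections whose name matches no permission in permissions.ini, and flags sections that configure only link display while no [global] defaultAction is set. The function names, finding names and sample configuration are assumptions made for illustration, as is treating the exception description as optional.

```python
import configparser

# Value grammar as documented on this page; the finding names are invented for this example.
ACTIONS, DISPLAY = {"promptlogin", "exception", "showMessage"}, {"showTemplate", "showMessage"}

def load(text):
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. permissionDeniedAction
    cp.read_string(text)
    return {s: {k: v.strip().strip('"') for k, v in cp[s].items()} for s in cp.sections()}

def well_formed(value, allowed):
    name, sep, rest = value.partition(":")
    if name == "promptlogin":
        return "promptlogin" in allowed and sep == ""
    # exception and showTemplate need a name; showMessage may be empty ("showMessage:")
    return name in allowed and sep == ":" and (name == "showMessage" or rest.split(":")[0] != "")

def audit(permissions_ini, behavior_ini):
    defined = {opts.get("permission") for opts in load(permissions_ini).values()}
    behavior = load(behavior_ini)
    default = behavior.pop("global", {}).get("defaultAction")
    findings = [("global", "bad-action")] if default is not None and not well_formed(default, ACTIONS) else []
    for name, opts in behavior.items():
        if name not in defined:  # no rule in permissions.ini grants this permission
            findings.append((name, "unknown-permission"))
        for key, allowed, tag in (("permissionDeniedAction", ACTIONS, "bad-action"),
                                  ("permissionDeniedDisplayLogic", DISPLAY, "bad-display")):
            if key in opts and not well_formed(opts[key], allowed):
                findings.append((name, tag))
        if "permissionDeniedDisplayLogic" in opts and "permissionDeniedAction" not in opts and default is None:
            findings.append((name, "display-only"))  # link display set, deny action unset
    return findings

# Constructed sample input, not taken from a real installation.
PERMISSIONS = """[default.AdminModule]
permission = access.AdminModule
[default.favoritesSave]
role[] = loggedin
permission = favorites.save
"""
BEHAVIOR = """[access.AdminModule]
permissionDeniedAction = "showMesage:permission_denied_admin"
[favorites.save]
permissionDeniedDisplayLogic = "showMessage:"
[access.Primo]
permissionDeniedAction = "promptlogin"
"""
print(audit(PERMISSIONS, BEHAVIOR))
```

A "display-only" finding means the section changes how the link is shown but leaves the response to a direct request to whatever applies when neither permissionDeniedAction nor defaultAction is configured.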
configuration/permission_options.1473233971.txt.gz · Last modified: 2016/09/07 07:39 by olli-gold